SEAL Certification Framework
SEAL Certifications is an open-source operational security certification program for crypto protocols. Smart contract vulnerabilities were once the dominant cause of crypto exploits; operational failures now dominate. Compromised signers, poorly managed multisigs, DNS takeovers, leaked credentials, unmonitored infrastructure, and missing incident response playbooks account for the majority of major incidents. Code audits don't catch these, because the code isn't the issue.
SEAL Certifications target exactly this gap. The framework evaluates the operational practices that determine whether a protocol can actually defend itself, detect an incident, and respond when things go wrong.
Certification Modules
The framework covers six modules, each independently scopeable:
- Multisig Ops — Governance, signer security, transaction verification, emergency procedures
- Treasury Ops — Treasury architecture, transaction security, custody, DeFi risk management
- Incident Response — Threat modeling, monitoring, response playbooks, drills
- DevOps & Infrastructure — Development environment, source code, CI/CD, cloud infrastructure, supply chain
- DNS & Registrar — Domain management, DNS controls, registrar security, email authentication
- Identity & Accounts — Organizational account inventory, phishing-resistant MFA, credential management, takeover monitoring
See the changelog for revision history across modules.
How Certification Works
SEAL maintains the framework and accredits auditing firms. Accredited firms perform the assessments; SEAL issues the on-chain certification.
An engagement runs through five steps:
- Scoping. Align on which controls apply and what infrastructure is in scope.
- Evidence collection. The protocol team gathers documentation and evidence that their practices meet the framework controls.
- Assessment. The firm reviews evidence against the open-source framework criteria.
- Remediation (if needed). The firm provides recommendations to close any gaps. The protocol team implements fixes.
- Certification. Protocols that meet the standard receive a formal on-chain attestation via the Ethereum Attestation Service (EAS), publicly and cryptographically verifiable.
A typical engagement runs a few weeks. Protocols can also use the framework independently for self-assessment at any time.
See Certification Guidelines for the full process and Certified Auditors for accredited firms.
Program Status
The framework has been validated through pilot analyses with protocols across DeFi, staking, treasury management, and infrastructure, plus feedback sessions with auditing firms and independent security researchers. Controls have been refined through that process and are now published.
The program is moving from pilot validation into active certification, starting with supervised first engagements through accredited firms.
Get Involved
- Protocols interested in a certification engagement or a consultation with the SEAL team on the framework: sign up here.
- Auditing firms and independent security researchers interested in becoming an accredited third-party certification issuer: apply here.
FAQ
What's the difference between self-assessments and certified audits?
Self-assessments are completed by the protocol team using the SEAL Certifications framework as a guide. They help protocols internally evaluate their own security posture and identify gaps. Self-assessments are not verified by a third party.
Certified audits are completed by a third-party accredited firm through SEAL's partner program. The firm independently evaluates the protocol's security controls against the framework. Upon successful completion, protocols receive a formal attestation on-chain.
What is an attestation?
Attestations are certificates issued on-chain through the Ethereum Attestation Service (EAS) by SEAL to protocols that successfully complete a certified audit. Attestations serve as verifiable proof that a protocol has met the requirements of a given SEAL certification.
Attestations do not indicate a protocol is free from security issues. Blockchain security evolves continuously and novel vulnerabilities arise regularly. Attestations demonstrate that a protocol has implemented a set of standardized operational practices to manage and mitigate risk.
What if a protocol doesn't meet all the certification requirements?
Protocols that don't meet all requirements receive a report from the auditor detailing the gaps. Once the gaps are addressed, the protocol can work with the auditor to complete a re-assessment.
What kind of evidence is required?
Evidence varies by certification and control. Protocols generally provide documentation, screenshots, or other artifacts demonstrating implementation of each control: a signer registry for multisig, incident response playbooks, DNS configuration records, and so on.
Who can see our attestation?
Attestations are publicly accessible on-chain through EAS. Detailed audit reports and evidence shared during the assessment process are confidential between the protocol and the auditor.
Can we use the SEAL badge?
Protocols that successfully complete a certified audit receive a badge from SEAL to display on their website or documentation.
Is there a list of certified protocols?
SEAL will maintain a public list of certified protocols as the program launches.
How can auditors become accredited?
SEAL accredits third-party auditing firms through a supervised first engagement. See Certified Auditors for the process.
Can a protocol lose its certification?
Yes. Certifications can be revoked if a protocol is found to be non-compliant for an extended period. Certifications are also time-limited and require periodic re-assessment.
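The two FAQ answers above (what an attestation is, and that a certification can be revoked or expire) describe what a verifier should check before trusting an attestation. The following is an added example, not code from SEAL or from EAS: a pure function that decides whether an attestation record, shaped like the Attestation struct the EAS contract returns from its getAttestation(bytes32 uid) view, should be accepted as a current SEAL certification. The SEAL attester address, the schema UID and the protocol address are placeholders, and the sample records are constructed for the demo; the on-chain read itself is left to the caller.

```javascript
// Added example, not code from SEAL or EAS. Decides whether an EAS attestation
// record should be accepted as a current SEAL certification for a protocol.
// The record fields mirror the Attestation struct returned by the EAS contract's
// getAttestation(bytes32 uid) view; fetching it on-chain is left to the caller.

// Placeholders: the real SEAL attester address and schema UID come from SEAL's
// published program details, not from this example.
const SEAL_ATTESTER = "0x0000000000000000000000000000000000000001";
const SEAL_SCHEMA_UID = "0x" + "11".repeat(32);
const ZERO_BYTES32 = "0x" + "00".repeat(32);

function sameHex(a, b) {
  return String(a).toLowerCase() === String(b).toLowerCase();
}

// Returns { valid, reasons, warnings } for attestation `att` at Unix time
// `nowSeconds`, checked against the protocol address the verifier expects.
function checkSealAttestation(att, expectedRecipient, nowSeconds) {
  const reasons = [];
  const warnings = [];

  // getAttestation returns an all-zero struct for an unknown UID; treat that
  // as "no attestation" rather than as a record with zero timestamps.
  if (sameHex(att.uid, ZERO_BYTES32)) {
    return { valid: false, reasons: ["no attestation found for this UID"], warnings };
  }
  if (!sameHex(att.attester, SEAL_ATTESTER)) reasons.push("attester is not SEAL");
  if (!sameHex(att.schema, SEAL_SCHEMA_UID)) reasons.push("schema is not the SEAL certification schema");
  if (!sameHex(att.recipient, expectedRecipient)) reasons.push("recipient is not the expected protocol address");

  // EAS stores 0 for "never revoked"; any other value is the revocation timestamp.
  if (att.revocationTime !== 0) reasons.push(`revoked at ${att.revocationTime}`);

  // EAS stores 0 for "no expiry". SEAL certifications are time-limited, so a
  // record without an on-chain expiry needs its re-assessment date checked
  // out of band; flag it rather than silently treating it as perpetual.
  if (att.expirationTime === 0) warnings.push("no on-chain expiry; confirm re-assessment status with SEAL");
  else if (att.expirationTime <= nowSeconds) reasons.push(`expired at ${att.expirationTime}`);

  return { valid: reasons.length === 0, reasons, warnings };
}

// Constructed sample data for the demo below (placeholder addresses and times).
const NOW = 1_800_000_000; // Unix seconds used as "current time"
const PROTOCOL = "0x00000000000000000000000000000000000000aa";

function sampleAttestation(overrides) {
  return {
    uid: "0x" + "ab".repeat(32),
    schema: SEAL_SCHEMA_UID,
    time: NOW - 30 * 86400,
    expirationTime: NOW + 335 * 86400,
    revocationTime: 0,
    refUID: ZERO_BYTES32,
    recipient: PROTOCOL,
    attester: SEAL_ATTESTER,
    revocable: true,
    data: "0x",
    ...overrides,
  };
}

const cases = {
  current: sampleAttestation({}),
  revoked: sampleAttestation({ revocationTime: NOW - 86400 }),
  expired: sampleAttestation({ expirationTime: NOW - 1 }),
  spoofed: sampleAttestation({ attester: "0x000000000000000000000000000000000000dEaD" }),
  missing: sampleAttestation({ uid: ZERO_BYTES32 }),
};
for (const [name, att] of Object.entries(cases)) {
  console.log(name, checkSealAttestation(att, PROTOCOL, NOW));
}
```

The order of the checks matters in practice: an attestation that was issued by SEAL but later revoked, or that has passed its expirationTime, is rejected with the same certainty as one issued by a different attester, which is exactly the distinction the revocation FAQ draws. Reading the record from the EAS contract and comparing the on-chain attester against SEAL's published address (not a value copied from a protocol's own website) is what makes the check independent of the party being verified.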